diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp.CVE-2010-1398 2010-06-02 04:03:12.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.cpp 2010-06-11 16:12:55.750525354 +0200
@@ -35,6 +35,7 @@
 #include "ClientRect.h"
 #include "ClientRectList.h"
 #include "Document.h"
+#include "DocumentFragment.h"
 #include "ElementRareData.h"
 #include "ExceptionCode.h"
 #include "FocusController.h"
@@ -42,6 +43,7 @@
 #include "FrameView.h"
 #include "HTMLElement.h"
 #include "HTMLNames.h"
+#include "HTMLTokenizer.h"
 #include "NamedNodeMap.h"
 #include "NodeList.h"
 #include "NodeRenderStyle.h"
@@ -49,6 +51,7 @@
 #include "RenderView.h"
 #include "TextIterator.h"
 #include "XMLNames.h"
+#include "XMLTokenizer.h"
 
 #if ENABLE(SVG)
 #include "SVGNames.h"
@@ -91,6 +94,51 @@ NodeRareData* Element::createRareData()
 {
 return new ElementRareData;
 }
+
+PassRefPtr Element::createContextualFragment(const String& markup)
+{
+ RefPtr fragment = DocumentFragment::create(document());
+
+ if (document()->isHTMLDocument())
+ parseHTMLDocumentFragment(markup, fragment.get());
+ else {
+ if (!parseXMLDocumentFragment(markup, fragment.get(), this))
+ // FIXME: We should propagate a syntax error exception out here.
+ return 0;
+ }
+
+ // Exceptions are ignored because none ought to happen here.
+ ExceptionCode ignoredExceptionCode;
+
+ // We need to pop and elements and remove to
+ // accommodate folks passing complete HTML documents to make the
+ // child of an element.
+
+ RefPtr nextNode;
+ for (RefPtr node = fragment->firstChild(); node; node = nextNode) {
+ nextNode = node->nextSibling();
+ if (node->hasTagName(htmlTag) || node->hasTagName(bodyTag)) {
+ Node* firstChild = node->firstChild();
+ if (firstChild)
+ nextNode = firstChild;
+ RefPtr nextChild;
+ for (RefPtr child = firstChild; child; child = nextChild) {
+ nextChild = child->nextSibling();
+ node->removeChild(child.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ fragment->insertBefore(child, node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ }
+ fragment->removeChild(node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ } else if (node->hasTagName(headTag)) {
+ fragment->removeChild(node.get(), ignoredExceptionCode);
+ ASSERT(!ignoredExceptionCode);
+ }
+ }
+
+ return fragment.release();
+}
 
 PassRefPtr Element::cloneNode(bool deep)
 {
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h.CVE-2010-1398 2010-06-02 04:03:12.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Element.h
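Review bot: Element::createContextualFragment returns 0 from its XML branch when parseXMLDocumentFragment fails (the FIXME notes the syntax error is not propagated), yet nothing at the definition tells callers that a null result is possible; createFragmentFromMarkup happens to test `fragment &&` before use, and any other caller must know to do the same. I would put a header comment above the function: `// Parses markup in the context of this element and returns it as a fragment; returns 0 if the document is not HTML and the markup is not well-formed XML. Wrapping html/body elements are unwrapped and head is dropped so callers may pass whole documents.` A second caveat is that `ASSERT(!ignoredExceptionCode)` is the only check on the removeChild/insertBefore calls, so if ASSERT is compiled out in release builds a failed insertBefore would silently drop that child rather than fail loudly. The cloneNode definition that begins at the end of the hunk continues outside it.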
2010-06-14 16:54:57.639394749 +0200
@@ -28,6 +28,7 @@
 #include "ContainerNode.h"
 #include "QualifiedName.h"
 #include "ScrollTypes.h"
+#include "DocumentFragment.h"
 
 namespace WebCore {
 
@@ -89,6 +90,8 @@ public:
 DEFINE_ATTRIBUTE_EVENT_LISTENER(search);
 DEFINE_ATTRIBUTE_EVENT_LISTENER(selectstart);
 
+ virtual PassRefPtr createContextualFragment(const String&);
+
 const AtomicString& getIDAttribute() const;
 bool hasAttribute(const QualifiedName&) const;
 const AtomicString& getAttribute(const QualifiedName&) const;
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp.CVE-2010-1398 2010-06-02 04:03:10.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/editing/markup.cpp 2010-06-11 16:12:55.752525451 +0200
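Review bot: The added `#include "DocumentFragment.h"` in Element.h sits after ScrollTypes.h, outside the alphabetical order the neighbouring includes keep, and it brings the full DocumentFragment header into every translation unit that includes Element.h when the new declaration only names the type in a PassRefPtr return; a forward declaration `class DocumentFragment;` inside namespace WebCore is what the surrounding headers would normally use for that, with Element.cpp already including the real header. If the project prefers the include, it belongs between ContainerNode.h and QualifiedName.h.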
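Review bot: The new `virtual PassRefPtr createContextualFragment(const String&)` in Element.h is only overridden by HTMLElement if the declaration in HTMLElement.h, which this patch does not touch, has exactly the same parameter and return types; a mismatch would silently hide rather than override, and `document->documentElement()->createContextualFragment(markup)` in markup.cpp would then skip the forbidden-end-tag and head/style/title checks HTMLElement applies. The definition in HTMLElement.cpp (`PassRefPtr HTMLElement::createContextualFragment(const String &markup)`) matches, so the header presumably does too, but it is worth confirming, and a comment at the declaration would record the contract: `// Overridden by HTMLElement, which applies IE-compatible element restrictions before delegating back here.`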
@@ -1054,11 +1054,7 @@ String createMarkup(const Range* range,
 
 PassRefPtr createFragmentFromMarkup(Document* document, const String& markup, const String& baseURL)
 {
- ASSERT(document->documentElement()->isHTMLElement());
- // FIXME: What if the document element is not an HTML element?
- HTMLElement *element = static_cast(document->documentElement());
-
- RefPtr fragment = element->createContextualFragment(markup);
+ RefPtr fragment = document->documentElement()->createContextualFragment(markup);
 
 if (fragment && !baseURL.isEmpty() && baseURL != blankURL() && baseURL != document->baseURL())
 completeURLs(fragment.get(), baseURL);
diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp.CVE-2010-1398 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp.CVE-2010-1398 2010-06-02 04:03:10.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/html/HTMLElement.cpp 2010-06-11 16:12:55.753537613 +0200
@@ -235,9 +235,9 @@ String HTMLElement::outerHTML() const
 return createMarkup(this);
 }
 
-PassRefPtr HTMLElement::createContextualFragment(const String &html)
+PassRefPtr HTMLElement::createContextualFragment(const String &markup)
 {
- // the following is in accordance with the definition as used by IE
+ // The following is in accordance with the definition as used by IE.
 if (endTagRequirement() == TagStatusForbidden)
 return 0;
 
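Review bot: `document->documentElement()` is dereferenced on the one remaining line of the body with no check, and the ASSERT that was removed was the only statement recording a precondition on the root element; if documentElement() can return 0 for a document without a root (not visible in this hunk), the call is a null dereference, though the old static_cast path was exposed in the same way. Since the function already treats a null fragment as a valid outcome on the next line, a guard preserving that contract would be `Element* root = document->documentElement();` then `if (!root) return 0;` and `RefPtr<DocumentFragment> fragment = root->createContextualFragment(markup);`. The function's return statement lies beyond the end of the hunk.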
@@ -245,47 +245,7 @@ PassRefPtr HTMLElement
 hasLocalName(headTag) || hasLocalName(styleTag) || hasLocalName(titleTag))
 return 0;
 
- RefPtr fragment = DocumentFragment::create(document());
-
- if (document()->isHTMLDocument())
- parseHTMLDocumentFragment(html, fragment.get());
- else {
- if (!parseXMLDocumentFragment(html, fragment.get(), this))
- // FIXME: We should propagate a syntax error exception out here.
- return 0;
- }
-
- // Exceptions are ignored because none ought to happen here.
- int ignoredExceptionCode;
-
- // we need to pop and elements and remove to
- // accommodate folks passing complete HTML documents to make the
- // child of an element.
-
- RefPtr nextNode;
- for (RefPtr node = fragment->firstChild(); node; node = nextNode) {
- nextNode = node->nextSibling();
- if (node->hasTagName(htmlTag) || node->hasTagName(bodyTag)) {
- Node *firstChild = node->firstChild();
- if (firstChild)
- nextNode = firstChild;
- RefPtr nextChild;
- for (RefPtr child = firstChild; child; child = nextChild) {
- nextChild = child->nextSibling();
- node->removeChild(child.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- fragment->insertBefore(child, node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- }
- fragment->removeChild(node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- } else if (node->hasTagName(headTag)) {
- fragment->removeChild(node.get(), ignoredExceptionCode);
- ASSERT(!ignoredExceptionCode);
- }
- }
-
- return fragment.release();
+ return Element::createContextualFragment(markup);
 }
 
 static inline bool hasOneChild(ContainerNode* node)
@@ -371,7 +331,7 @@ void HTMLElement::setOuterHTML(const Str
 
 void HTMLElement::setInnerText(const String& text, ExceptionCode& ec)
 {
- // follow the IE specs about when this is allowed
+ // Follow the IE specs about when this is allowed.
 if (endTagRequirement() == TagStatusForbidden) {
 ec = NO_MODIFICATION_ALLOWED_ERR;
 return;
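Review bot: After the hunk the only thing HTMLElement::createContextualFragment still does beyond `return Element::createContextualFragment(markup);` is the two IE-compatibility early returns above it (the endTagRequirement() == TagStatusForbidden test and the head/style/title check), and nothing says that the parsing and html/body/head unwrapping now live in the base class; a comment on the return line, `// Parsing and html/body/head unwrapping live in Element::createContextualFragment; only the IE-compatible element restrictions are applied here.`, would stop the loop from being re-added here. Note also that the base implementation returns 0 on an XML parse failure, so a null result from this function can mean either a forbidden element or unparsable markup, which callers cannot distinguish. The function's signature and first guard are above the hunk.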
@@ -441,7 +401,7 @@ void HTMLElement::setInnerText(const Str
 
 void HTMLElement::setOuterText(const String &text, ExceptionCode& ec)
 {
- // follow the IE specs about when this is allowed
+ // Follow the IE specs about when this is allowed.
 if (endTagRequirement() == TagStatusForbidden) {
 ec = NO_MODIFICATION_ALLOWED_ERR;
 return;
@@ -469,7 +429,7 @@ void HTMLElement::setOuterText(const Str
 if (ec)
 return;
 
- // is previous node a text node? if so, merge into it
+ // Is previous node a text node? If so, merge into it.
 Node* prev = t->previousSibling();
 if (prev && prev->isTextNode()) {
 Text* textPrev = static_cast(prev);
@@ -482,7 +442,7 @@ void HTMLElement::setOuterText(const Str
 t = textPrev;
 }
 
- // is next node a text node? if so, merge it in
+ // Is next node a text node? If so, merge it in.
 Node* next = t->nextSibling();
 if (next && next->isTextNode()) {
 Text* textNext = static_cast(next);
@@ -522,7 +482,7 @@ Node* HTMLElement::insertAdjacent(const
 return 0;
 }
 
- // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative
+ // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative.
 ec = NOT_SUPPORTED_ERR;
 return 0;
 }
@@ -530,7 +490,7 @@ Node* HTMLElement::insertAdjacent(const
 Element* HTMLElement::insertAdjacentElement(const String& where, Element* newChild, ExceptionCode& ec)
 {
 if (!newChild) {
- // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative
+ // IE throws COM Exception E_INVALIDARG; this is the best DOM exception alternative.
 ec = TYPE_MISMATCH_ERR;
 return 0;
 }
@@ -567,8 +527,8 @@ void HTMLElement::addHTMLAlignment(Mappe void HTMLElement::addHTMLAlignmentToStyledElement(StyledElement* element, MappedAttribute* attr) { - // vertical alignment with respect to the current baseline of the text - // right or left means floating images + // Vertical alignment with respect to the current baseline of the text + // right or left means floating images. int floatValue = CSSValueInvalid; int verticalAlignValue = CSSValueInvalid;